One school of thought in the identity space recognizes relationships as the foundational component of our identity. We expose a different side of our true selves in each relationship. Ultimately, the aggregate of our relationships represents who we are.
The same school of thought claims that to truly capture the essence of our identity and leverage it in the digital realm, we need to build identity systems that account for relationship management as a critical part of the mental model. As a rule of thumb, we should be able to replicate the relationships we maintain in the physical world.
Given the above, how do the identity systems of today fare against this claim? Let’s dive into it.
The reality of the situation is that we are not embodied in the digital realm. We don’t exist in it as an independent agent with a certain amount of autonomy.
To participate in any activity online, we must register for an account in the identity system of the online service provider. With this action, we establish a relationship with the service provider.
To register for an account, we provide personally identifiable information to the service provider. In some cases (e.g. opening a bank account), we have to go through a Know-Your-Customer / Identity Verification process. The data we provide is usually collected and stored by the service provider. In exchange for our data, we get the access credentials (username and password) for the online service.
To summarize: we exchange our data for access. Due to the sensitive nature of the data exchange, both sides end up with a big responsibility. We have to make sure that we securely manage our access credentials. On the other hand, our service provider is responsible for setting up technical and organizational measures to manage the collected data securely.
How does each party hold its end of the bargain?
Well, it turns out that neither side of the relationship performs well.
Thousands of publicly known data breaches expose tens of billions of records every year, and the yearly Top 10 data breach lists are as vibrant as any music chart.
To add insult to injury, even users who rely on dedicated password managers are not safe.
Maybe the idea of exchanging sensitive data between the parties and hoping they will know how to manage it securely is the actual problem.
What about the nature of the established relationship with the service provider? At least that works somehow, right?
Well, not really. The established relationship is not a symmetrical one between two equal parties. It is clear who has the upper hand. At any point in time, our access might be revoked by the service provider for whatever reason (justified or not). Hence, it is sad but true: we don’t exist outside of the administrative control of the identity systems we use.
Wait a sec. What about social logins? Don’t they solve (or reduce) the problem of exchanging sensitive data and the need to manage it securely?
Social logins are an improvement. However, not every service provider uses them. More importantly, the mental model behind these identity systems understands identity management as two things: how to capture our data (identity record management) and what to do with it (authentication).
And as we stated before, identity is about relationship management, not about authentication alone. We can't use one representation in all our relationships because that is not how it works in the physical world.
So, what kind of relationship management should we be looking for in the next-generation identity solutions?
As in the physical world, we would be able to establish different types of relationships depending on the underlying purpose. Engaging in a purely transactional conversation with the other party would result in an ephemeral relationship. If we are a returning customer of the other party, we might want to progress to a long-lived relationship to experience the convenience that goes with it (e.g. a discount).
It is important to note that the relationship would be symmetrical. To establish a relationship, both parties need to accept it. It might start as a purely conversational relationship, then develop and improve over time. As in the physical world, a relationship might degrade over time. That is fine because each party can leave a relationship at any point.
We would only exchange the data required for the task at hand. The other party would not collect and store massive amounts of personal data. Instead, when needed, they can ask for it just in time. That would be a paradigm shift from the situation today, since the main incentive for data breaches would no longer exist.
We would exchange data over a secure, life-long communication channel that ensures confidentiality by default. The channel would ensure the authenticity and integrity of the messages coming from the other party. Knowing who you are dealing with is an effective tactic against phishing attacks (one of the most recurring causes of data breaches).
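The pairwise channel described in the preceding paragraphs, sketched as an added Go example that is not part of the original post and not code from any Blokverse product. It assumes each relationship gets its own X25519 key pair, a label both parties agree on (the hypothetical "shop:order-42"), and AES-GCM with that label bound as associated data; the hash-based key derivation is a simplification standing in for a real KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Channel is one party's end of a relationship that both sides have accepted. AES-GCM
// gives confidentiality plus an integrity tag; the label is bound as associated data.
type Channel struct {
	Label string // purpose both parties agreed on, e.g. the constructed "shop:order-42"
	aead  cipher.AEAD
}

// NewKey mints an X25519 key pair for one relationship only, so nothing links it to the party's others.
func NewKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// Accept completes the mutual handshake: each party calls it with its own key and the
// other's public key, and both derive the same channel key from the shared secret and label.
func Accept(label string, mine *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Channel, error) {
	secret, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("relationship-channel:"+label), secret...)) // simplified KDF
	block, _ := aes.NewCipher(key[:])                                              // 32-byte key cannot fail
	aead, err := cipher.NewGCM(block)
	return &Channel{Label: label, aead: aead}, err
}

func (c *Channel) Send(msg string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce, prefixed to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, c.aead.Seal(nil, nonce, []byte(msg), []byte(c.Label))...), nil
}

// Receive fails on anything tampered with or lifted from another relationship's channel.
func (c *Channel) Receive(ct []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(ct) < n {
		return "", errors.New("short ciphertext")
	}
	pt, err := c.aead.Open(nil, ct[:n], ct[n:], []byte(c.Label))
	return string(pt), err
}
```

Because the label is part of both the key derivation and the associated data, a message sealed for one relationship cannot be opened in another relationship between the same two parties.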
Today’s messaging systems already support end-to-end encryption and authenticity checks. But their identity systems do not recognize our existence outside their administrative control. And we are back at square one, stuck with exchanging our data for their access. On top of that, we have to manage access to as many messaging systems as our colleagues, friends and family use. That doesn’t make a lot of sense.
As a member of Swiss-based Netcetera Group, Blokverse is focused on delivering enterprise grade products and services based on blockchain technology.
We believe blockchain has the potential to be the ubiquitous integration layer in trustless environments. Based on that premise, we have delivered verify.it (a full-fledged platform for management of verifiable digital credentials) and Maenada (a product suite of self-sovereign identity solutions).
Recognizing that the barriers to entry for blockchain technology are still high, we designed a consulting package to assist businesses along the way. We support knowledge buildup, planning and execution in all phases, from MVP to pilot to defining a migration path for integration with the existing production infrastructure.